From a11dc2f0a347cbb9bb5baaf7365ece67c27feb66 Mon Sep 17 00:00:00 2001 From: "Ricardo M. Correia" Date: Mon, 19 Jan 2015 18:11:54 +0100 Subject: [PATCH] grsecurity: Add `denyUSB` option to grsec NixOS module The option had been added to the grsec build-support code, but it hadn't been added to the grsec module. After this commit, grsec module users will be able to change the default value. It also serves to document that this option exists and that NixOS will disable it by default. --- nixos/modules/security/grsecurity.nix | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/nixos/modules/security/grsecurity.nix b/nixos/modules/security/grsecurity.nix index 5c8c4993951..d0c7fa6ec28 100644 --- a/nixos/modules/security/grsecurity.nix +++ b/nixos/modules/security/grsecurity.nix @@ -156,6 +156,24 @@ in ''; }; + denyUSB = mkOption { + type = types.bool; + default = false; + description = '' + If true, then set GRKERNSEC_DENYUSB y. + + This enables a sysctl with name + kernel.grsecurity.deny_new_usb. Setting + its value to 1 will prevent any new USB + devices from being recognized by the OS. Any attempted + USB device insertion will be logged. + + This option is intended to be used against custom USB + devices designed to exploit vulnerabilities in various USB + device drivers. + ''; + }; + restrictProc = mkOption { type = types.bool; default = false;
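Review bot: The new `denyUSB` declaration documents a sysctl that nothing in this commit sets, and the diffstat shows no change outside this hunk, so if the module forwards options to the grsec build-support config one by one rather than passing the whole `cfg` set, the option is declared but never consumed — worth confirming before merging. The description should also tell the reader how to act on it, since enabling the option only compiles the sysctl in; a closing sentence such as `Enabling this only builds in the sysctl; set boot.kernel.sysctl."kernel.grsecurity.deny_new_usb" = 1 once the expected devices are attached for the denial to take effect.` would make that explicit. Stating that the default of false matches the commit's intent that NixOS disables it unless asked would also save the next reader a trip to the commit log. The enclosing options set starts and ends outside the hunk.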